User management

User administrators can create and manage Snowflake users through SQL or the web interface:

  • Using SQL, administrators can perform all user-related tasks, including changing login credentials and defaults for users.

  • Snowsight supports most user-related tasks.

  • Classic Console doesn’t support all user-related tasks, but provides a wizard for creating users and performing most common activities, such as resetting a user’s password.

Types of users

Some user objects correspond to human users while other user objects correspond to a service or application that interacts with Snowflake programmatically without human interaction. When you create a user object, you specify the type of user to differentiate between humans and services. This distinction is important because human users should enroll in multi-factor authentication (MFA), but services and applications should not because there is no human to use a secondary method of authentication.

The TYPE property of a user object determines the type of user. Possible values of this TYPE property are as follows:

PERSON:

User is a human user who can interact with Snowflake.

NULL:

Functions the same PERSON.

SERVICE:

User is a service or application that interacts with Snowflake without human interaction.

To improve the security posture of non-interactive use cases, users with the TYPE property set to SERVICE have the following characteristics:

  • They cannot log in using a password.

  • They cannot log in using SAML SSO.

  • They cannot enroll in MFA.

  • They are not subject to authentication policy MFA enforcement.

  • They cannot have the following properties:

    • FIRST_NAME

    • MIDDLE_NAME

    • LAST_NAME

    • PASSWORD

    • MUST_CHANGE_PASSWORD

    • MINS_TO_BYPASS_MFA

  • The following commands cannot be used:

    • ALTER USER RESET PASSWORD

    • ALTER USER SET DISABLE_MFA = TRUE

SNOWFLAKE_SERVICE:

User that is created by Snowflake for Snowpark Container Services. Administrators cannot create users of type SNOWFLAKE_SERVICE, nor can they change the type of an existing user to be SNOWFLAKE_SERVICE. For more information about SNOWFLAKE_SERVICE users, see Connecting to Snowflake from inside a container.

LEGACY_SERVICE:

A user with their TYPE property set to LEGACY_SERVICE represents a non-interactive integration. It is similar to SERVICE, but allows password and SAML authentication. In a future release, the LEGACY_SERVICE type will be deprecated, at which time all non-interactive use cases will use the SERVICE type with a secure method of authentication.

LEGACY_SERVICE users have the following characteristics:

  • They can log in using password or SAML authentication, unlike SERVICE users.

  • They have the properties of a SERVICE user, but have the PASSWORD and MUST_CHANGE_PASSWORD properties available.

  • They have the command restrictions of a SERVICE user, but can use the ALTER USER RESET PASSWORD command.

  • They are not affected by authentication policy multi-factor authentication (MFA) enforcement. This property lets administrators set account-level authentication policies that require MFA for password authentication without needing to set a user-level authentication policy to prevent LEGACY_SERVICE users from requiring MFA for password authentication.

User roles

Snowflake uses roles to control the objects (virtual warehouses, databases, tables, etc.) that users can access:

  • Snowflake provides a set of predefined roles, as well as a framework for defining a hierarchy of custom roles.

  • All Snowflake users are automatically assigned the predefined PUBLIC role, which enables login to Snowflake and basic object access.

  • In addition to the PUBLIC role, each user can be assigned additional roles, with one of these roles designated as their default role. A user’s default role determines the role used in the Snowflake sessions initiated by the user; however, this is only a default. Users can change roles within a session at any time.

  • Roles can be assigned at user creation or afterwards.

Attention

When deciding the additional roles to assign to a user, as well as designating their default role, consider the following for the predefined ACCOUNTADMIN role (required for performing account-level administrative tasks):

  • Snowflake recommends strictly controlling the assignment of ACCOUNTADMIN, but recommends assigning it to at least two users.

  • ACCOUNTADMIN should never be designated as a user’s default role. Instead, designate a lower-level administrative or custom role as their default.

For more details and best practices related to the ACCOUNTADMIN role, see Access control considerations. For more general information about roles, see Overview of Access Control.

Privileges required to create and modify users

The following roles or privileges are required to manage users in your account:

Create users:

The USERADMIN system role can create users using SQL (CREATE USER).

If you prefer to use a custom role for this purpose, grant the CREATE USER privilege on the account to this role.

Modify users:

Only the role with the OWNERSHIP privilege on a user can modify most user properties using SQL (ALTER USER).

Creating users

You can create a user by using the following interfaces.

Note

The web interface, whether you use Classic Console or Snowsight, requires that you specify a password when you create a user. The CREATE USER command and UserCollection.create Python API do not.

For more information about passwords in Snowflake, see Working with passwords.

Using Snowsight

  1. Sign in to Snowsight.

  2. Select Admin » Users & Roles.

  3. Select + User.

  4. In the User Name field, enter a unique identifier for the user. The user uses this identifier to sign in to Snowflake unless you specify a login name.

  5. Optionally specify an email address for the user in the Email field.

  6. In the Password and Confirm Password fields, enter the password for the user.

  7. Optionally add a comment explaining why you created the user.

  8. Leave the Force user to change password on first time login checkbox selected to force the user to change their password when they sign in.

  9. Optionally select Advanced User Options to specify additional details about the user:

    • Login Name to use instead of the User Name when signing in to Snowflake.

    • Display Name that appears after signing in.

    • First Name and Last Name to complete the user profile.

    • Default Role, Default Warehouse, and Default Namespace.

  10. Select Create User.

Using Classic Console

  1. Select Account Account tab » Users.

  2. Select Create.

  3. In the User Name field, enter a unique identifier for the user.

    Note

    User name is the unique identifier for the user in Snowflake. It is not the user’s login name (i.e. the name the user enters when logging into Snowflake). Snowflake allows users to have different user names and login names, if desired. You specify a login name for the user on the next screen.

  4. In the Password and Confirm Password fields, enter the password for the user.

  5. Leave the Force Password Change checkbox selected to force the user to change their password on their next login; otherwise, clear the checkbox.

  6. Select Next. The Advanced screen opens.

  7. Optionally enter the Login Name, Display Name, and personal information for the user.

    Note

    Users require a login name to log into Snowflake; if you don’t explicitly provide a login name, Snowflake uses their user name as the login name.

  8. Select Next. The Preferences screen opens.

  9. Optionally enter defaults for the user:

    • Virtual warehouse

    • Namespace in the form of db_name or db_name.schema_name

    • Role

  10. Select Finish. Snowflake displays a success message.

Using SQL

Use the CREATE USER command to create a user.

Important

When creating a user, if you assign a default role to the user, you must then explicitly grant this role to the user. For example:

CREATE USER janesmith PASSWORD = 'abc123' DEFAULT_ROLE = myrole MUST_CHANGE_PASSWORD = TRUE;

GRANT ROLE myrole TO USER janesmith;
Copy

Note that the GRANT ROLE command allows you to assign multiple roles to a single user. The web interface does not currently support the same capability.

Using Python

Use the UserCollection.create Python API to create a user.

Important

When creating a user, if you assign a default role to the user, you must then explicitly grant this role to the user. For example:

from snowflake.core.user import Securable, User

my_user = User(
  name="janesmith",
  password="abc123",
  default_role="myrole",
  must_change_password=True)
root.users.create(my_user)

root.users['janesmith'].grant_role(role_type="ROLE", role=Securable(name='myrole'))
Copy

Disabling or enabling a user

Disabling a user prevents the user from logging into Snowflake. You can disable a user through the following interfaces.

Using Snowsight

  1. Sign in to Snowsight.

  2. Select Admin » Users & Roles.

  3. Locate the user that you want to disable and select More options » Disable User.

  4. In the confirmation dialog that opens, select Disable.

To enable a user, follow the same steps, but select Enable User.

Using Classic Console

  1. Click on Account Account tab » Users.

  2. Click on a user row to select it, then click the Disable User button. A confirmation dialog opens.

  3. Click Yes to disable the user.

To enable a user, follow the same steps, but select Enable User.

Using SQL

Use the ALTER USER command to disable or enable a user. For example:

  • Disable a user:

    ALTER USER janesmith SET DISABLED = TRUE;
    Copy

  • Enable a user:

    ALTER USER janesmith SET DISABLED = FALSE;
    Copy

Using Python

Use the UserResource.create_or_alter Python API to disable or enable a user. For example:

  • Disable a user:

    user_parameters = root.users["janesmith"].fetch()
user_parameters.disabled = True
root.users["janesmith"].create_or_alter(user_parameters)
    Copy

  • Enable a user:

    user_parameters = root.users["janesmith"].fetch()
user_parameters.disabled = False
root.users["janesmith"].create_or_alter(user_parameters)
    Copy

Unlocking a user

If a user login fails after five consecutive attempts, the user is locked out of their account for a period of time (currently 15 minutes). After the period of time elapses, the system automatically clears the lock and the user can attempt to log in again.

To unlock the user before the time has elapsed, you can reset the timer using the ALTER USER command or the UserResource.create_or_alter Python API.

The following example resets the timer to 0, which immediately unlocks user janesmith:

ALTER USER janesmith SET MINS_TO_UNLOCK= 0;
Copy

Tip

If a single role has the OWNERSHIP privilege on all Snowflake users, we recommend granting the role to multiple users. That way, if a member of the role is locked out, another member can unlock that user.

Altering session parameters for a user

  • To show the session parameters for a user, use the following SQL syntax:

    SHOW PARAMETERS [ LIKE '<pattern>' ] FOR USER <name>
    Copy

  • To alter the session parameters for a user, use the following syntax:

    ALTER USER <name> SET <session_param> = <value>
    Copy

    For example, allow a user to remain connected to Snowflake indefinitely without timing out:

    ALTER USER janesmith SET CLIENT_SESSION_KEEP_ALIVE = TRUE;
    Copy

  • To reset a session parameter for a user to the default value, use the following syntax:

    ALTER USER <name> UNSET <session_param>
    Copy

Modifying other user properties

You can modify all other user properties using the ALTER USER command or the UserResource.create_or_alter Python API. You can modify many of the same user properties using Snowsight.

For example:

  • Change the last name for user janesmith to Jones:

    SQL:
    ALTER USER janesmith SET LAST_NAME = 'Jones';
    Copy
    Python:
    user_parameters = root.users["janesmith"].fetch()
user_parameters.last_name = "Jones"
root.users["janesmith"].create_or_alter(user_parameters)
    Copy
    Snowsight:

    1. Sign in to Snowsight.

    2. Select Admin » Users & Roles.

    3. Locate the user that you want to edit and select More options » Edit.

    4. For the Last Name field, enter Jones.

    5. Select Save User.

  • Set or change the default warehouse, namespace, primary role, and secondary roles for user janesmith:

    SQL:
    ALTER USER janesmith SET DEFAULT_WAREHOUSE = mywarehouse DEFAULT_NAMESPACE = mydatabase.myschema DEFAULT_ROLE = myrole DEFAULT_SECONDARY_ROLES = ('ALL');
    Copy
    Python:
    user_parameters = root.users["janesmith"].fetch()
user_parameters.default_warehouse = "mywarehouse"
user_parameters.default_namespace = "mydatabase.myschema"
user_parameters.default_role = "myrole"
user_parameters.default_secondary_roles = "ALL"
root.users["janesmith"].create_or_alter(user_parameters)
    Copy
    Snowsight:

    Note

    You cannot set default secondary roles for a user using Snowsight.

    1. Sign in to Snowsight.

    2. Select Admin » Users & Roles.

    3. Locate the user that you want to edit and select More options » Edit.

    4. Open the Advanced User Options and enter values in the relevant fields.

    5. Select Save User.

Viewing users

You can view information about users using the following interfaces.

Using SQL

Use the DESCRIBE USER or SHOW USERS command to view information about one or more users.

For example:

DESC USER janeksmith;
Copy

Using Python

Use the UserResource.fetch Python API to get information about a user.

For example:

my_user = root.users["janesmith"].fetch()
print(my_user.to_dict())
Copy

Use the UserCollection.iter Python API to list users in an account.

For example:

users = root.users.iter(like="jane%")
for user in users:
  print(user.name)
Copy

Using Snowsight

  1. Sign in to Snowsight.

  2. Select Admin » Users & Roles.

  3. Locate the user for which you want to view more details.

    You can review the display name, status, last login time, owning role, and whether or not the user has multi-factor authentication (MFA) set up. If the user has a comment, you can hover over the Comment icon.

  4. Optionally select the user to see more details, such as their default settings, roles that have privileges granted on the user, and the roles granted to the user.

Dropping a user

Dropping a user removes the user credentials from Snowflake.

Important

When you drop a user, the folders, worksheets, and dashboards owned by that user become inaccessible and do not transfer to another user unless sharing is enabled.

Share recipients with View, View + Run, and Edit permissions will retain their assigned permissions and can still access the shared folders, worksheets, and dashboards. However, only users with Edit permissions can modify or delete the shared folders, worksheets, and dashboards. If you don’t give Edit permissions to at least one other user before you drop the owner, that owner’s folders, worksheets, and dashboards cannot be deleted.

If a dropped user’s worksheets do not have sharing enabled, an administrator can recover up to 500 worksheets owned by the user.

Caution

Any worksheets in the Classic Console will be permanently deleted, and dashboards will be inaccessible if they were not previously shared with another user.

Objects created by the user, such as tables or views, are not dropped because they are owned by the user’s active role when the objects were created. Another user assigned the same role or a higher role in the role hierarchy can manage the objects or transfer ownership to another role.

Using Snowsight

  1. Sign in to Snowsight.

  2. Select Admin » Users & Roles.

  3. Locate the user that you want to disable and select More options » Drop.

  4. In the confirmation dialog that opens, select Drop User.

Using Classic Console

  1. Select Account Account tab » Users.

  2. Click a user row to select it, then select Drop. A confirmation dialog opens.

  3. Select Yes to drop the user.

Using SQL

Use the DROP USER command to drop a user.

DROP USER janesmith;
Copy

Using Python

Use the UserResource.drop Python API to drop a user.

root.users["janesmith"].drop()
Copy
Language: English